1 About the Connector
Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use Siebel Enterprise Applications as a managed (target) resource for Oracle Identity Manager.
Note:
At some places in this guide, Siebel Enterprise Applications has been referred to as the target system.
In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.
This chapter contains the following sections:
1.1 Certified Components
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components
Item | Requirement |
---|---|
Oracle Identity Governance or Oracle Identity Manager | You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager: |
Target systems | The target system can be any one of the following: Note: Siebel Connector needs JDK 1.8 or later as a minimum version to work with Siebel IP 2017, IP 2018, Siebel 19.x, and 20.x and 23.x target systems. |
Connector Server | 11.1.2.1.0 |
Connector Server JDK and JRE | This requirement must be as follows: Note: If you are using Siebel Innovation Pack 2017, 2018, Siebel 19.x, or 20.x see Understanding the JDK Requirement for Siebel IP 2017, Siebel IP 2018, Siebel 19.x, or Siebel 20.x for information related to JDK requirement. |
External code | Depending on the target system that you use, obtain one of the following dependent libraries from the target system: |
1.2 Usage Recommendation
Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:
- If you are using an Oracle Identity Manager release 9.1.0.2 or later and earlier than Oracle Identity Manager 11g Release 1 (11.1.1.5.0), then you must use the 9.0.4.x version of this connector.
- If you are using Oracle Identity Manager 11g Release 1 (11.1.1.5.0) or later, Oracle Identity Manager 11g Release 2 BP04 (11.1.2.0.4) or later, or Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0), then use the latest 11.1.1.x version of this connector.
1.3 Certified Languages
This release of the connector supports the following languages:
- Arabic
- Chinese Simplified
- Chinese Traditional
- Danish
- English
- French
- German
- Italian
- Japanese
- Korean
- Portuguese (Brazilian)
- Spanish
1.4 Connector Architecture
Figure 1-1 shows the architecture of the connector.
The Siebel User Management connector is implemented by using the Identity Connector Framework (ICF). The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Manager connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering. The ICF is shipped along with Oracle Identity Manager. Therefore, you need not configure or modify the ICF.
See Also:
Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for more information about the ICF
The connector can be configured to run in one of the following modes:
- Identity reconciliation
  Identity reconciliation is also known as authoritative or trusted source reconciliation. In this form of reconciliation, the target system is used as the trusted source and users are directly created and modified on it.
  During reconciliation, a scheduled job (an instance of the scheduled task) establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled job, which brings the records to Oracle Identity Manager. The next step depends on the mode of connector configuration.
  Each record fetched from the target system is compared with existing OIM Users. If a match is found, then the update made to the record on the target system is copied to the OIM User attributes. If no match is found, then the target system record is used to create an OIM User.
- Account Management
  Account management is also known as target resource management. In the account management mode, the target system is used as a target resource. This mode of the connector enables the following operations:
  - Provisioning
    Provisioning involves creating or updating users on the target system through Oracle Identity Manager. When you allocate (or provision) a Siebel resource to an OIM User, the operation results in the creation of an account on Siebel for that user. In the Oracle Identity Manager context, the term provisioning is also used to mean updates made to the target system account through Oracle Identity Manager.
    During provisioning, adapters carry provisioning data submitted through the process form to the target system. Siebel APIs accept provisioning data from the adapters, carry out the required operation on Siebel, and return the response from Siebel to the adapters. The adapters return the response to Oracle Identity Manager.
  - Target resource reconciliation
    In target resource reconciliation, data related to newly created and modified target system accounts can be reconciled (using scheduled jobs) and linked with existing OIM Users and provisioned resources.
1.5 Features of the Connector
The following are features of the connector:
1.5.1 Dependent Lookup Fields
If you have multiple installations of the target system, the entries in lookup definitions (used as an input source for lookup fields during provisioning) can be linked to the target system installation from which they are copied. Therefore, during a provisioning operation, you can select lookup field values that are specific to the target system installation on which the provisioning operation is being performed.
See Lookup Definitions Synchronized with the Target System for more information about the format in which data is stored in dependent lookup definitions.
1.5.2 Full and Incremental Reconciliation
After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, incremental reconciliation is automatically enabled. In incremental reconciliation, user accounts that have been added, modified, or deleted since the last reconciliation run are fetched into Oracle Identity Manager.
You can perform a full reconciliation run at any time.
See Performing Full Reconciliation for more information.
1.5.3 Limited Reconciliation
You can set a reconciliation filter as the value of the Custom Recon Query attribute of the user reconciliation scheduled job. This filter specifies the subset of added and modified target system records that must be reconciled.
See Performing Limited Reconciliation for more information.
1.5.4 Reconciliation Based on User Type
You can specify the Siebel user type (Employee or User) for which you want to reconcile records from the target system.
See Reconciliation Based on User Type for more information.
1.5.5 Reconciliation of Deleted User Records
You can configure the connector for reconciliation of deleted user records. In target resource mode, if a record is deleted on the target system, then the corresponding Siebel resource is revoked from the OIM User. In trusted source mode, if a record is deleted on the target system, then the corresponding OIM User is deleted.
See Scheduled Job for Reconciliation of Deleted Users Records for more information about scheduled jobs used for reconciling deleted user records.
1.5.6 Transformation and Validation of Account Data
You can configure validation of account data that is brought into or sent from Oracle Identity Manager during reconciliation and provisioning. In addition, you can configure transformation of account data that is brought into Oracle Identity Manager during reconciliation. The following sections provide more information:
1.5.7 Support for Connector Server
Connector Server is a component provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles. In other words, a connector server enables remote execution of an Oracle Identity Manager connector.
A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.
1.5.8 Connection Pooling
A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Manager connectors can use these connections to communicate with target systems. At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.
One connection pool is created for each IT resource. For example, if you have three IT resources for three installations of the target system, then three connection pools will be created, one for each target system installation.
Setting up the Lookup.Configuration.Siebel Lookup Definition for Connection Pooling provides information about connection pooling.
1.6 Lookup Definitions Used During Reconciliation and Provisioning
Lookup definitions used during reconciliation and provisioning can be divided into the following categories:
1.6.1 Lookup Definitions Synchronized with the Target System
During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Responsibility lookup field to select a responsibility to be assigned to the user from the list of available responsibilities. When you deploy the connector, lookup definitions (with no lookup entries) corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
The following lookup definitions are populated with values fetched from the target system by the scheduled jobs for lookup field synchronization:
- Lookup.Siebel.TimeZone
- Lookup.Siebel.PersonalTitle
- Lookup.Siebel.PreferredCommunications
- Lookup.Siebel.EmployeeTypeCode
- Lookup.Siebel.Position
- Lookup.Siebel.Responsibility
The Siebel Lookup Recon scheduled job is used to synchronize values of these lookup definitions with the target system. While configuring the Siebel Lookup Recon scheduled job, you specify the name of the lookup definition that you want to synchronize as the value of the Lookup Definition Name attribute. See Scheduled Job for Lookup Field Synchronization for more information about this scheduled job.
After lookup definition synchronization, data is stored in the following format:
- Code Key format: IT_RESOURCE_KEY~LOOKUP_FIELD_ID_OR_NAME
  In this format:
  - IT_RESOURCE_KEY is the numeric code assigned to the IT resource in Oracle Identity Manager.
  - LOOKUP_FIELD_ID_OR_NAME is the target system code or name assigned to the lookup field entry.
  Sample value: 1~AHA CEO
- Decode format: IT_RESOURCE_NAME~LOOKUP_FIELD_ENTRY
  In this format:
  - IT_RESOURCE_NAME is the name of the IT resource in Oracle Identity Manager.
  - LOOKUP_FIELD_ENTRY is the value or description of the lookup field entry on the target system.
  Sample value: SIEBEL IT Resource~AHA Headquarter
While performing a provisioning operation on the Administrative and User Console, you select the IT resource for the target system on which you want to perform the operation. When you perform this action, the lookup definitions on the page are automatically populated with values corresponding to the IT resource (target system installation) that you select. If your environment has multiple installations of the target system then only values that correspond to the IT resource that you select are displayed. During lookup field synchronization, new entries are appended to the existing set of entries in the lookup definitions. You can switch between multiple installations of the same target system. Because the IT resource key is part of each entry created in each lookup definition, only lookup field entries that are specific to the IT resource you select during a provisioning operation are displayed.
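The per-installation filtering described above can be reproduced over an exported lookup definition to confirm that entries from different installations stay separate. The following Python code is an added example, not part of the connector; the sample entries are constructed in the Code Key and Decode formats shown above, and the assumption is that IT resource names and keys do not themselves contain a tilde.

```python
from collections import defaultdict


def parse_lookup_entry(code_key, decode):
    """Split one entry into (it_resource_key, field_id, it_resource_name, label)."""
    key, sep_k, field_id = code_key.partition("~")
    name, sep_d, label = decode.partition("~")
    if not (sep_k and sep_d and field_id and name and label):
        raise ValueError(f"not in PREFIX~VALUE form: {code_key!r} / {decode!r}")
    if not (key.isascii() and key.isdigit()):
        raise ValueError(f"IT resource key is not numeric: {key!r}")
    return int(key), field_id, name, label


def values_for_it_resource(entries, it_resource_key):
    """Return {field_id: label} for one installation; malformed entries are skipped."""
    result = {}
    for code_key, decode in entries:
        try:
            key, field_id, _name, label = parse_lookup_entry(code_key, decode)
        except ValueError:
            continue  # an entry without a valid prefix belongs to no installation
        if key == it_resource_key:
            result[field_id] = label
    return result


def audit_lookup(entries):
    """Report malformed entries and keys whose Decode names several IT resources."""
    problems, names_by_key = [], defaultdict(set)
    for code_key, decode in entries:
        try:
            key, _field_id, name, _label = parse_lookup_entry(code_key, decode)
        except ValueError as exc:
            problems.append((code_key, str(exc)))
            continue
        names_by_key[key].add(name)
    for key, names in sorted(names_by_key.items()):
        if len(names) > 1:
            problems.append((str(key), "key maps to several IT resource names: "
                             + ", ".join(sorted(names))))
    return problems


# Constructed sample for a Lookup.Siebel.Responsibility export (two installations).
SAMPLE_RESPONSIBILITIES = [
    ("1~AHA CEO", "SIEBEL IT Resource~AHA CEO"),
    ("1~AHA Sales Rep", "SIEBEL IT Resource~AHA Sales Rep"),
    ("2~AHA CEO", "SIEBEL IT Resource 2~AHA CEO"),
    ("2~Auditor", "SIEBEL IT Resource~Auditor"),   # name does not match key 2
    ("Auditor", "Auditor"),                        # prefix missing
]

if __name__ == "__main__":
    print(values_for_it_resource(SAMPLE_RESPONSIBILITIES, 1))
    for item, reason in audit_lookup(SAMPLE_RESPONSIBILITIES):
        print(f"{item}: {reason}")
```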
1.6.2 Preconfigured Lookup Definitions
This section discusses the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed. The other lookup definitions are as follows:
1.6.2.1 Lookup.Configuration.Siebel
The Lookup.Configuration.Siebel lookup definition holds connector configuration entries that are used during reconciliation and provisioning operations.
Table 1-2 lists the default entries in this lookup definition.
Table 1-2 Entries in the Lookup.Configuration.Siebel Lookup Definition
Code Key | Decode | Description |
---|---|---|
Bundle Name | org.identityconnectors.siebel | This entry holds the name of the connector bundle package. Do not modify this entry. |
Bundle Version | 1.0.1 | This entry holds the version of the connector bundle class. Do not modify this entry. |
Connector Name | org.identityconnectors.siebel.SiebelConnector | This entry holds the name of the connector class. Do not modify this entry. |
User Configuration Lookup | Lookup.Siebel.UM.Configuration | This entry holds the name of the lookup definition that contains user-specific configuration properties. Do not modify this entry. |
1.6.2.2 Lookup.Siebel.UM.Configuration
As discussed earlier, the Lookup.Siebel.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations.
Table 1-3 lists the default entries in this lookup definition.
Table 1-3 Entries in the Lookup.Siebel.UM.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map | Lookup.Siebel.UM.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.Siebel.UM.ProvAttrMap for more information about this lookup definition. |
Recon Attribute Map | Lookup.Siebel.UM.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.Siebel.UM.ReconAttrMap for more information about this lookup definition. |
Provisioning Validation Lookup | Lookup.Siebel.UM.ProvValidation | This entry holds the name of the lookup definition that is used to configure validation of attribute values entered on the process form during provisioning operations. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition. |
Recon Validation Lookup | Lookup.Siebel.UM.ReconValidation | This entry holds the name of the lookup definition that is used to configure validation of attribute values that are fetched from the target system during reconciliation. See Configuring Validation of Data During Reconciliation and Provisioning for more information about adding entries in this lookup definition. |
Recon Transformation Lookup | Lookup.Siebel.UM.ReconTransformation | This entry holds the name of the lookup definition that is used to configure transformation of attribute values that are fetched from the target system during user reconciliation. See Configuring Transformation of Data During User Reconciliation for more information about adding entries in this lookup definition. |
1.6.2.3 Lookup.Siebel.UM.ReconAttrMap
The Lookup.Siebel.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation. This lookup definition is preconfigured. Table 1-4 lists the default entries.
You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Extending the Functionality of the Connector for more information.
1.6.2.4 Lookup.Siebel.UM.ProvAttrMap
The Lookup.Siebel.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning. This lookup definition is preconfigured. **INTERNAL XREF ERROR** lists the default entries.
You can add entries in this lookup definition if you want to map new target system attributes for provisioning. See Extending the Functionality of the Connector for more information.
1.7 Connector Objects Used During Target Resource Reconciliation
See Also:
Managing Reconciliation in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for conceptual information about reconciliation
This section discusses the following topics:
1.7.1 User Attributes for Reconciliation
The Lookup.Siebel.UM.ReconAttrMap lookup definition maps resource object fields and target system attributes. This lookup definition is used for performing target resource user reconciliation runs.
In this lookup definition, the Code Key contains the reconciliation attribute of the resource object.
The following is the format of the Code Key and Decode values in this lookup definition:
For single-valued attributes:
- Code Key: Reconciliation attribute of the resource object
- Decode: ATTRIBUTE_TYPE;ATTRIBUTE_NAME
  In this format:
  - ATTRIBUTE_TYPE specifies the type of attribute being reconciled. This connector supports reconciliation of both user and employee attributes. Therefore, the value of ATTRIBUTE_TYPE can be Employee, User, or common. Here, common specifies that the attribute being reconciled is both a user and employee attribute.
  - ATTRIBUTE_NAME specifies the name of the target system attribute.
For multivalued attributes (position and responsibility):
- Code Key: RO_ATTR_NAME~CHILD_RO_ATTR_NAME
  In this format, RO_ATTR_NAME specifies the reconciliation field of the parent resource object. CHILD_RO_ATTR_NAME specifies the reconciliation field on the child resource object.
- Decode: Combination of the following elements separated by semicolon (;):
  ATTRIBUTE_TYPE;OBJECT_CLASS;ATTRIBUTE_NAME;TRUE_OR_FALSE
  In this format:
  - ATTRIBUTE_TYPE specifies the type of attribute being reconciled. This connector supports reconciliation of both user and employee attributes. Therefore, the value of ATTRIBUTE_TYPE can be Employee, User, or common. Here, common specifies that the attribute being reconciled is both a user and employee attribute.
  - OBJECT_CLASS is the name of the object class in which the attribute is stored. In other words, it is the business component name.
  - ATTRIBUTE_NAME is the name of the attribute.
  - TRUE_OR_FALSE is used to indicate whether the attribute is primary or secondary. For example, a value of true indicates that the attribute is a primary attribute. A value of False indicates that the attribute is a secondary attribute.
Table 1-4 lists the entries in this lookup definition.
Table 1-4 Entries in the Lookup.Siebel.UM.ReconAttrMap Lookup Definition
Resource Object Field (Code Key) | Target System Attribute (Decode) |
---|---|
Single-Valued Fields | |
Alias | common;Alias |
 | common;EMail Addr |
EmployeeType[Lookup] | Employee;Employee Type Code |
Extension | Employee;Work Phone Extension |
Fax | common;Fax # |
FirstName | common;First Name |
HomePhone | common;Home Phone # |
JobTitle | common;Job Title |
LastName | common;Last Name |
MiddleName | common;Middle Name |
MPosition[Lookup] | Employee; Position;Name;true |
PreferredCommunications[Lookup] | common;Preferred Communications |
Primary Responsibility[Lookup] | common;Responsibility;Name;true |
Status[WRITEBACK] | common;Responsibility;Name;true[WRITEBACK] |
Title[Lookup] | common;Personal Title |
User ID | common;Login Name |
WorkPhone | common;Phone # |
Multivalued Fields | |
Position~Position[Lookup] | Employee; Position;Name;false |
Responsibility~Responsibility[Lookup] | common;Responsibility;Name;false |
1.7.2 Reconciliation Rule for Target Resource Reconciliation
Learn about the reconciliation rule for this connector and how to view it.
See Also:
Reconciliation Engine in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for generic information about reconciliation matching and action rules
1.7.2.1 Target Resource Reconciliation Rule
The following is the process-matching rule:
Rule name: Siebel Recon Rule
Rule element: User Login Equals User ID
In this rule element:
- User Login is the User ID field on the OIM User form.
- User ID is the User ID field of Siebel.
1.7.2.2 Viewing Target Resource Reconciliation Rules in the Design Console
You can view the reconciliation rule for reconciliation by performing the following steps:
Note:
Perform the following procedure only after the connector is deployed.
- Log in to the Oracle Identity Manager Design Console.
- Expand Development Tools.
- Double-click Reconciliation Rules.
- Search for Siebel Recon Rule.
1.7.3 Reconciliation Action Rules for Target Resource Reconciliation
Learn about the reconciliation action rules for this connector and how to view them.
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See
in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about setting a reconciliation action rule.
1.7.3.1 Target Resource Reconciliation Action Rules
Table 1-5 lists the action rules for Target Resource reconciliation.
Table 1-5 Action Rules for Target Resource Reconciliation
Rule Condition | Action |
---|---|
No Matches Found | Assign to Administrator With Least Load |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
1.8 Connector Objects Used During Provisioning
Provisioning involves creating or modifying user data on the target system through Oracle Identity Manager.
This section discusses the following topics:
- User Attributes for Provisioning
See Also:
Managing Provisioning Tasks in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for conceptual information about provisioning
1.8.1 Provisioning Functions
These are the provisioning functions that the connector supports.
Table 1-6 Provisioning Functions
Function | Adapter |
---|---|
Create User | Siebel Create |
Delete User | Siebel Delete |
Add User Position | Siebel Update Child Table |
Add User Responsibility | Siebel Update Child Table |
Delete User Position | Siebel Update Child Table |
Delete User Responsibility | Siebel Update Child Table |
Primary Position Updated | Siebel Update |
Primary Responsibility Updated | Siebel Update |
Time Zone Updated | Siebel Update |
Email Updated | Siebel Update |
Alias Updated | Siebel Update |
MI Updated | Siebel Update |
Work Phone Updated | Siebel Update |
First Name Updated | Siebel Update |
Last Name Updated | Siebel Update |
Title Updated | Siebel Update |
Home Phone Updated | Siebel Update |
Fax Updated | Siebel Update |
Preferred Communications Updated | Siebel Update |
Extension Updated | Siebel Update |
Employee Type Updated | Siebel Update |
Job Title Updated | Siebel Update |
User ID Updated | Siebel Update |
Child Position Updated | Siebel Update Child Table |
Child Responsibility Updated | Siebel Update Child Table |
1.8.2 User Attributes for Provisioning
The Lookup.Siebel.UM.ProvAttrMap lookup definition maps process form fields with target system attributes. This lookup definition is used for performing provisioning operations.
The following is the format of the Code Key and Decode values in this lookup definition:
- Code Key: Name of the field on the OIM User form in the Administrative and User Console. In other words, the process form field name.
- Decode: ATTRIBUTE_TYPE;ATTRIBUTE_NAME
  In this format:
  - ATTRIBUTE_TYPE specifies the type of attribute being reconciled. This connector supports reconciliation of both user and employee attributes. Therefore, the value of ATTRIBUTE_TYPE can be Employee, User, or common. Here, common specifies that the attribute being reconciled is both a user and employee attribute.
  - ATTRIBUTE_NAME specifies the name of the target system attribute.
For entries corresponding to process form fields on child forms, the following is the format of the Code Key and Decode values:
- Code Key: CHILD_FORM_NAME~FIELD_NAME
  In this format, CHILD_FORM_NAME specifies the name of the child form. FIELD_NAME specifies the name of the field on the OIM User child form in the Administrative and User Console.
- Decode: Combination of the following elements separated by semicolon (;):
  ATTRIBUTE_TYPE;OBJECT_CLASS;ATTRIBUTE_NAME;TRUE_OR_FALSE
  In this format:
  - ATTRIBUTE_TYPE specifies the type of attribute being reconciled. This connector supports reconciliation of both user and employee attributes. Therefore, the value of ATTRIBUTE_TYPE can be Employee, User, or common. Here, common specifies that the attribute being reconciled is both a user and employee attribute.
  - OBJECT_CLASS is the name of the object class in which the attribute is stored. In other words, it is the business component name.
  - ATTRIBUTE_NAME is the name of the attribute.
  - TRUE_OR_FALSE is used to indicate whether the attribute is primary or secondary. For example, a value of true indicates that the attribute is a primary attribute. A value of False indicates that the attribute is a secondary attribute.
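Lookup.Siebel.UM.ReconAttrMap (section 1.7.1) and Lookup.Siebel.UM.ProvAttrMap (this section) share the same Decode format, so entries added to either map can be checked against it before they are deployed. The following Python validator is an added example, not part of the connector: the first five sample entries are copied from Table 1-4, the last three are constructed and deliberately malformed, and treating a trailing [TAG] as an opaque suffix is an assumption.

```python
import re

# ATTRIBUTE_TYPE values named on the page (compared case-insensitively).
ATTRIBUTE_TYPES = {"employee", "user", "common"}
# Assumption: a trailing [TAG] such as [Lookup] or [WRITEBACK] is an opaque suffix.
TRAILING_TAG = re.compile(r"^(.*?)\[([^\[\]]+)\]$")


def split_tag(text):
    """Split 'Title[Lookup]' into ('Title', 'Lookup'); the tag is None if absent."""
    match = TRAILING_TAG.match(text.strip())
    if match:
        return match.group(1).strip(), match.group(2)
    return text.strip(), None


def parse_entry(code_key, decode):
    """Parse one Code Key/Decode pair; raise ValueError if it breaks the format."""
    key_body, key_tag = split_tag(code_key)
    parent, sep, child = key_body.partition("~")
    if not parent or (sep and not child):
        raise ValueError("empty field name in Code Key")
    decode_body, decode_tag = split_tag(decode)
    parts = [part.strip() for part in decode_body.split(";")]
    if len(parts) not in (2, 4) or not all(parts):
        raise ValueError("Decode needs 2 or 4 non-empty elements separated by ';'")
    if parts[0].lower() not in ATTRIBUTE_TYPES:
        raise ValueError(f"unknown ATTRIBUTE_TYPE {parts[0]!r}")
    if child and len(parts) != 4:
        raise ValueError("child (multivalued) Code Key needs the 4-element Decode")
    entry = {"field": parent, "child_field": child or None, "key_tag": key_tag,
             "decode_tag": decode_tag, "attribute_type": parts[0],
             "object_class": None, "attribute_name": parts[-1], "primary": None}
    if len(parts) == 4:
        if parts[3].lower() not in ("true", "false"):
            raise ValueError(f"TRUE_OR_FALSE must be true or false, got {parts[3]!r}")
        entry.update(object_class=parts[1], attribute_name=parts[2],
                     primary=parts[3].lower() == "true")
    return entry


def audit(entries):
    """Return (code_key, reason) for every entry that fails to parse."""
    problems = []
    for code_key, decode in entries:
        try:
            parse_entry(code_key, decode)
        except ValueError as exc:
            problems.append((code_key, str(exc)))
    return problems


SAMPLE_ENTRIES = [
    # Copied from Table 1-4.
    ("Alias", "common;Alias"),
    ("EmployeeType[Lookup]", "Employee;Employee Type Code"),
    ("MPosition[Lookup]", "Employee; Position;Name;true"),
    ("Status[WRITEBACK]", "common;Responsibility;Name;true[WRITEBACK]"),
    ("Responsibility~Responsibility[Lookup]", "common;Responsibility;Name;false"),
    # Constructed, deliberately malformed custom entries.
    ("Department", "Contact;Department"),          # ATTRIBUTE_TYPE not allowed
    ("Position~Division", "Employee;Division"),    # child key, 2-element Decode
    ("Manager", "Employee;Position;Manager;yes"),  # TRUE_OR_FALSE not a boolean
]

if __name__ == "__main__":
    for code_key, reason in audit(SAMPLE_ENTRIES):
        print(f"{code_key}: {reason}")
```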
1.9 Connector Objects Used During Trusted Source Reconciliation
The following sections provide information about connector objects used during trusted source reconciliation:
1.9.1 User Attributes for Trusted Source Reconciliation
Table 1-7 lists user attributes for trusted source reconciliation.
Table 1-7 User Attributes for Trusted Source Reconciliation
OIM User Form Field | Siebel Attribute | Description |
---|---|---|
User ID | Login Name | Login ID |
First Name | First Name | First Name |
Last Name | Last Name | Last name |
Employee Type | NA | The default value is |
User Type | NA | The default value is |
Organization | NA | The default value is |
 | EMail Addr | The e-mail address of the employee. |
1.9.2 Reconciliation Rule for Trusted Source Reconciliation
Learn about the reconciliation rule for trusted source reconciliation and how to view it.
1.9.2.1 Trusted Source Reconciliation Rule
The following is the process matching rule:
Rule name: Trusted Source recon Rule
Rule element: User Login Equals User ID
In this rule element:
- User Login is the User ID field on the OIM User form.
- User ID is the User ID field of Siebel.
1.9.3 Reconciliation Action Rules for Trusted Source Reconciliation
Learn about the reconciliation action rules for trusted source reconciliation and how to view them.
1.9.3.1 Trusted Source Reconciliation Action Rules
Table 1-8 lists the action rules for trusted source reconciliation.
Table 1-8 Action Rules for Trusted Source Reconciliation
Rule Condition | Action |
---|---|
No Matches Found | Create User |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |